Jump to: navigation, search

Difference between revisions of "Meetings/VPNaaS"

(Agenda)
(Important)
 
(37 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
= Meetings =
 
= Meetings =
  
* Weekly on-demand on Tuesdays at 1600 UTC
+
* On-demand on Tuesdays at 1600 UTC
 
* IRC channel: #openstack-meeting-3
 
* IRC channel: #openstack-meeting-3
 
* Chair: pc_m (Paul Michali)
 
* Chair: pc_m (Paul Michali)
  
 +
There currently are no planned VPNaaS meetings. If there is an important aspect to discuss, you can either add an on-demand topic to the Neutron IRC meeting, or hold an on-demand meeting in the above reserved channel. If doing the latter, please update the agenda, and next meeting date on this page, and post a notice on the openstack-dev mailing list with ample time for people to allocate time to attend (you may want to request a quorum).
  
If you want to hold a meeting. Update this wiki page with agenda modifications, date of meeting desired, date of update, and then post a notice on the openstack-dev mailing list, at least 24 hours prior to the meeting start time. We have reserved this (new) channel on the IRC for the time/day of week.
 
  
Next meeting: Tuesday, July 14th, 2015.
+
Next meeting: TBD
  
 
= Logs and Minutes=
 
= Logs and Minutes=
Line 14: Line 14:
  
 
= Agenda =
 
= Agenda =
 +
Updated Oct 5th, 2015
  
Updated July 21st, 2015
+
* Local multiple subnet
 
 
* Grenade Plugin
 
* VPN Functional tests for Neutron commits
 
* Migration changes
 
* Local tunnel IP
 
* VPN with HA router
 
* Multiple local subnet enhancement
 
* BGP/MPLS VPN and Edge VPN discussion
 
 
 
  
 
== Announcements ==
 
== Announcements ==
 +
* Endpoint group server and client code is upstreamed.
 +
* Devstack plugin for neutronclient commit to make voting.
 +
* Multiple local subnet feature and CLI pushed for review.
  
* DevStack Plugin is upstreamed, removing VPN setup from DevStack
+
== Multiple Local Subnets ==
* Grenade tests for VPN are experimental right now
+
Server changes (#link https://review.openstack.org/#/c/230164) and Neutron client (#link https://review.openstack.org/#/c/231133) are out for review. Please look them over.
 
 
== Grenade Plugin ==
 
Working on plugin, have code out for review (https://review.openstack.org/#/c/203159/). Having an issue with getting the plugin to actually trigger.
 
  
== VPN Functional Tests for Neutron Commits ==
+
Will work on follow-up commits for functional tests, API documentation, and additional validation.
Testing with dummy Neutron commit, but VPN functional test is NOT using the Neutron patchset, and instead is using latest from Neutron. Investigating.
 
  
== Migration Changes ==
+
DevRef: https://review.openstack.org/#/c/191944
Neutron is changing migration into two branches, one that does the "safe" migration, and one that does the "unsafe" migration (after new version is restarted). Ihar is working on changing both Neutron and VPn repos.
 
 
 
== Local Tunnel IP ==
 
Code out for review (https://review.openstack.org/#/c/199670/). Waiting for Grenade plugin (to be able to test migration part of this change - though I've checked it manually), and changes to migration as mentioned above (of which a minor change is needed to this patch-set), but overall it works (please review!). No client mod is needed.
 
 
 
== VPN with HA Router ==
 
Anything new here (https://review.openstack.org/200636)?
 
 
 
== Multiple Local Subnets on VPN connection ==
 
 
 
Ref: https://bugs.launchpad.net/neutron/+bug/1459423
 
 
 
Still need review of developer reference doc (https://review.openstack.org/#/c/191944), especially from BGP/Edge VPN folks to see if some of this can be reused.
 
 
 
== BGP/MPLS and Edge VPN ==
 
 
 
Need feedback from the BGP team, on the endpoints API proposal to see if it can adapt for use in the future for BGPVPN.
 
 
 
Please contribute use cases to https://etherpad.openstack.org/p/vpn-flavors, so that we can better understand the VPN variants that are being discussed.
 
 
 
Anything to discuss here? Next steps?
 
 
 
Info:
 
 
 
* Edge-VPN http://git.openstack.org/cgit/stackforge/networking-edge-vpn/ with specs:
 
** Edge VPN service provisioning APIs: https://review.openstack.org/#/c/201378
 
** Neutron extension for edge VPN: https://review.openstack.org/#/c/201381
 
* BGP VPN https://github.com/stackforge/networking-bgpvpn with API proposal https://review.openstack.org/#/c/177740
 
  
 
== Bugs under Review ==
 
== Bugs under Review ==
Line 72: Line 35:
  
 
Current reviews:  [https://review.openstack.org/#/q/status:open+project:openstack/neutron-vpnaas,n,z VPNaaS reviews]
 
Current reviews:  [https://review.openstack.org/#/q/status:open+project:openstack/neutron-vpnaas,n,z VPNaaS reviews]
 
Need resolution of gate issues for: https://review.openstack.org/#/c/159746
 
 
  
 
== Open Discussion ==
 
== Open Discussion ==
  
 
== Bucket List ==
 
== Bucket List ==
 +
Here is a list of features/fixes/enhancements that could be done for VPNaaS, with a subjective assessment of the importance of each:
 +
 +
=== Very Important ===
 +
* Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. VPNaaS isn't practical for production use with pre-shared keys, IMHO. (https://bugs.launchpad.net/neutron/+bug/1459427)
 +
* Removing direct dependency on Neutron, causing breakages occasionally (neutron-lib).
  
Here are some ideas for tasks that need to be done (feel free to work on them - put your name by any you choose)...
+
=== Important ===
* Validation that peer IP for VPN connection is of same version as router's GW I/F.
+
* Complete python34 support for test (see tox.ini for disabled tests) (https://bugs.launchpad.net/neutron/+bug/1480326). In review.
* User documentation for Networking Guide. (including limitations/restrictions)
+
* Grenade work to support Advanced Services, so that plugin can be activated (partial implementation).
* Coverage, especially in database and device driver modules, is lacking.
+
* User documentation for Networking Guide for VPNaaS. (including limitations/restrictions)
* Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6).
 
* Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta)
 
* The OpenSwan class should be separated from the ABC definition, and placed into a new module.
 
* Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
 
 
* Documentation on how to use StrongSwan
 
* Documentation on how to use StrongSwan
* Developer Reference Documentation needed.
 
 
* Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
 
* Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
* StrongSwan execute_with_mount() to allow configurable rootwrap config file.
+
* Break out new endpoint-group and multiple local subnet API logic into separate extension(?) so that Horizon can detect when feature is available (Akihiro mentioned).
* Support for BGP/MPLS VPN? DM VPN? OpenVPN (road-warrior)? Can/should they be integrated into VPNaaS?
+
* Complete move of API tests to neutron-vpnaas repo (https://bugs.launchpad.net/neutron/+bug/1483417), and add tests for endpoint-group and multiple local subnet APIs. In review.
* Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created.
+
* Modify neutron-client so that Horizon can detect multiple local subnet capabilities (https://bugs.launchpad.net/neutron/+bug/1515670).
* There is interest by some on other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute).
+
* Check whether or not IPv6 works with *Swan. Likely will need proposed change. (https://bugs.launchpad.net/neutron/+bug/1436864).
* Should enhance/add unit test cases for:
+
* Refactor functional jobs (https://bugs.launchpad.net/neutron/+bug/1495584). In review.
 +
* Temp workaround for cross project breakage would be to run VPN function job during Neutron tests. Can be follow-on steps to https://bugs.launchpad.net/neutron/+bug/1495584 work.
 +
* Deprecate OpenSwan and transition to StrongSwan. May still need Libreswan for Redhat.
 +
 
 +
=== Nice to Have ===
 +
* Check when removing/changing GW I/F that is not used by VPNaaS (may be bug for this).
 +
* Improve coverage in UTs.
 
** Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
 
** Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
** Verification of contents of configuration files created for StrongSwan and OpenSwan.
 
 
** Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
 
** Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
 +
* Refactor the rest of the database tests and remove round trip test cases once similar tests in place.
 +
* Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). Referenced by https://bugs.launchpad.net/neutron/+bug/1416427
 +
* Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta). Some is covered under https://bugs.launchpad.net/neutron/+bug/1414253.
 +
* The OpenSwan class should be separated from the ABC definition, and placed into a new module.
 +
* Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
 +
* Developer Reference Documentation needed.
 +
* Migrate to using neutronclient extension for VPN (and create job).
 +
* StrongSwan execute_with_mount() to allow configurable rootwrap config file (hard coded currently).
 +
* Check interop of StrongSwan and OpenSwan (https://bugs.launchpad.net/neutron/+bug/1441789).
  
 +
=== Pie in the Sky Items ===
 +
* Explore leveraging off of endpoint group mechanism for other VPN flavors.
 +
* Drivers for other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute) DMVPN, SSLVPN?
  
 
== Interested People ==
 
== Interested People ==
Line 108: Line 85:
 
* Sridhar Ramaswamy (sridha_ram)
 
* Sridhar Ramaswamy (sridha_ram)
 
* Al Miller (ajmiller)
 
* Al Miller (ajmiller)
 
+
* Victor Howard (vichoward)
  
 
== Charter ==
 
== Charter ==

Latest revision as of 17:15, 13 November 2015

Meetings

  • On-demand on Tuesdays at 1600 UTC
  • IRC channel: #openstack-meeting-3
  • Chair: pc_m (Paul Michali)

There currently are no planned VPNaaS meetings. If there is an important aspect to discuss, you can either add an on-demand topic to the Neutron IRC meeting, or hold an on-demand meeting in the above reserved channel. If doing the latter, please update the agenda, and next meeting date on this page, and post a notice on the openstack-dev mailing list with ample time for people to allocate time to attend (you may want to request a quorum).


Next meeting: TBD

Logs and Minutes

Meetings, with their notes and logs, will be found under http://eavesdrop.openstack.org/meetings/vpnaas/

Agenda

Updated Oct 5th, 2015

  • Local multiple subnet

Announcements

  • Endpoint group server and client code is upstreamed.
  • Devstack plugin for neutronclient commit to make voting.
  • Multiple local subnet feature and CLI pushed for review.

Multiple Local Subnets

Server changes (#link https://review.openstack.org/#/c/230164) and Neutron client (#link https://review.openstack.org/#/c/231133) are out for review. Please look them over.

Will work on follow-up commits for functional tests, API documentation, and additional validation.

DevRef: https://review.openstack.org/#/c/191944

Bugs under Review

Current bugs: VPN bugs

Current reviews: VPNaaS reviews

Open Discussion

Bucket List

Here is a list of features/fixes/enhancements that could be done for VPNaaS, with a subjective assessment of the importance of each:

Very Important

  • Certificate support for IPSec (Barbican - see what LBaaS did to use certificate). - RFE created. VPNaaS isn't practical for production use with pre-shared keys, IMHO. (https://bugs.launchpad.net/neutron/+bug/1459427)
  • Removing direct dependency on Neutron, causing breakages occasionally (neutron-lib).

Important

  • Complete python34 support for test (see tox.ini for disabled tests) (https://bugs.launchpad.net/neutron/+bug/1480326). In review.
  • Grenade work to support Advanced Services, so that plugin can be activated (partial implementation).
  • User documentation for Networking Guide for VPNaaS. (including limitations/restrictions)
  • Documentation on how to use StrongSwan
  • Documentation on the differences between StrongSwan and OpenSwan (and any limitations/restrictions of each - e.g. mixing IPv4/v6)
  • Break out new endpoint-group and multiple local subnet API logic into separate extension(?) so that Horizon can detect when feature is available (Akihiro mentioned).
  • Complete move of API tests to neutron-vpnaas repo (https://bugs.launchpad.net/neutron/+bug/1483417), and add tests for endpoint-group and multiple local subnet APIs. In review.
  • Modify neutron-client so that Horizon can detect multiple local subnet capabilities (https://bugs.launchpad.net/neutron/+bug/1515670).
  • Check whether or not IPv6 works with *Swan. Likely will need proposed change. (https://bugs.launchpad.net/neutron/+bug/1436864).
  • Refactor functional jobs (https://bugs.launchpad.net/neutron/+bug/1495584). In review.
  • Temp workaround for cross project breakage would be to run VPN function job during Neutron tests. Can be follow-on steps to https://bugs.launchpad.net/neutron/+bug/1495584 work.
  • Deprecate OpenSwan and transition to StrongSwan. May still need Libreswan for Redhat.

Nice to Have

  • Check when removing/changing GW I/F that is not used by VPNaaS (may be bug for this).
  • Improve coverage in UTs.
    • Checking various sync() cases: router w/o VPN running on it any more; router with VPN running, but no longer a service configured; process running VPN, but no longer VPN configured.
    • Verification of reported status for various cases: connections (active, down, pending create), service (created, deleted, admin down).
  • Refactor the rest of the database tests and remove round trip test cases once similar tests in place.
  • Need more functional tests for OpenSwan device driver (and StrongSwan driver). Identify what's needed (MTU check, connection delete, admin up/down?, non-default configs [API or unit?], IPv6). Referenced by https://bugs.launchpad.net/neutron/+bug/1416427
  • Refactor duplication out of device driver code (OpenSwan, StrongSwan, Cisco, Vyatta). Some is covered under https://bugs.launchpad.net/neutron/+bug/1414253.
  • The OpenSwan class should be separated from the ABC definition, and placed into a new module.
  • Remove /n from execute method in utils.py so that duplicate code can be removed in VPN drivers.
  • Developer Reference Documentation needed.
  • Migrate to using neutronclient extension for VPN (and create job).
  • StrongSwan execute_with_mount() to allow configurable rootwrap config file (hard coded currently).
  • Check interop of StrongSwan and OpenSwan (https://bugs.launchpad.net/neutron/+bug/1441789).

Pie in the Sky Items

  • Explore leveraging off of endpoint group mechanism for other VPN flavors.
  • Drivers for other VPN types (e.g. something similar to AWS DirectConnect and Azure ExpressRoute) DMVPN, SSLVPN?

Interested People

List of people w/IRC that are interested in participating (coding, reviewing, testing, and/or documenting):

  • Paul Michali (pc_m)
  • Sridhar Ramaswamy (sridha_ram)
  • Al Miller (ajmiller)
  • Victor Howard (vichoward)

Charter

VPNaaS Team Charter


Meeting Commands

/join #openstack-meeting-3
#startmeeting vpnaas
#topic Announcements
#undo

...

#endmeeting